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EXECUTIVE SUMMARY 


The NAT is a coalition of leading online advertising companies 
committed to developing actionable self-regulatory standards that 
establish and reward responsible business and data management 
practices and standards.’ In December 2008, the ΝΑΙ revised the self- 
regulatory code of conduct governing the collection, use, and 
disclosure of data for online advertising services by its member 
companies (“NAI Code”).? Among other things, the revised Code 
requires that member companies undergo an annual review of their 
compliance with the requirements of the NAI Code. 


The NAI has now completed an evaluation of the NAI member 
companies subject to review.’ This report: (1) provides background 
on the NAI and its compliance mission; (2) explains the methodology 
used in the 2009 annual compliance review; and (3) sets forth the 
NAI’s findings with regard to the compliance of the evaluated member 
companies. 


Throughout the compliance process, the evaluated member 
companies provided extensive information and otherwise cooperated 
with NAI Staff, resulting in a thorough examination of their business 
practices.* Members were first required to respond to a detailed 


; The ΝΑΙ and its members are committed to online advertising practices that 


address consumers’ privacy expectations. Through a variety of business models, NAI 
members enable Web content and services providers to enhance the relevancy of the 
online display advertising provided to consumers. This increased relevancy of 
advertising, in turn, generates a variety of benefits, including increased revenue to 
support consumers’ continued access to Web content and services without charge. 

In connection with online behavioral advertising, the NAI’s self-regulatory code 
concurrently provides a comprehensive framework for consumer notice and choice. 

a See ΝΑΙ 2008 Principles: The Network Advertising Initiative’s Self Regulatory 
Code of Conduct, available at 

http ://networkadvertising.org/networks/2008%20NAI%20Principles_final%20for%2 
OWebsite.pdf. 

3 The 2009 compliance process applies to the 23 companies that were NAI 
members as of January 1, 2009. These 23 companies are referred to in this 
document as “evaluated members” or “evaluated member companies.” As discussed 
in further detail below, members admitted after this date are independently 
evaluated as part of the membership application process. The NAI expects its 2010 
Annual Compliance Review to encompass 35 member companies. 

4 Section III’s findings detail the areas in which NAI member companies’ 
compliance remains subject to continuing review by NAI Staff. 
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questionnaire describing their practices and policies as they relate to 
NAI compliance, and to provide supporting documentation. A 
compliance team consisting of three NAI attorneys reviewed members’ 
responses to the questionnaire, and independently evaluated the 
member companies’ business practices as described on their Web 
sites, privacy policies, proprietary business materials, terms of service, 
contracts with advertising partners, and marketing materials. The NAI 
compliance staff also used independent technical methods to assess 
the responses provided. The NAI compliance staff then conducted a 
multi-stage interview process with high-level management and 
relevant engineering personnel. 


Throughout the review process, the NAI compliance staff made 
compliance findings, educated members about NAI requirements, and 
informally shared best practices suggestions with NAI members. Asa 
result, in addition to the formal evaluation from NAI Staff contained in 
this report, the compliance process has resulted in enhancements to 
member companies’ business practices, disclosures, and opt out 
mechanisms for online behavioral advertising (“OBA”). 


NAI Staff’s review produced valuable information about the 
compliance of its member companies, as well as areas in which the 
NAI and its members could do more to improve transparency and 
choice. The review demonstrated that the evaluated member 
companies met their compliance obligations with respect to the great 
majority of the requirements of the NAI Code. The NAI Code 
encompasses ten subject areas that include approximately twenty 
substantive requirements for the NAI and its member companies. NAI 
Staff found no compliance deficiencies with respect to eighteen of 
those twenty requirements.” ΝΑΙ Staff did, however, find a need for 


2 In the order in which they appear, the following member requirements are 


generally provided for in the NAI Code, and as applied to data used for OBA: 
maintaining an NAI Web site; member education of consumers; member-provided 
notice of behavioral advertising practices; contractually requiring Web site partners 
to display notice and choice; prohibiting the creation of interest segments targeting 
children under 13 without parental consent; limiting the use of interest segments 
only for marketing purposes; not collecting personally identifiable information (PII) 
from third parties in the absence of a contractual relationship; limiting changes in 
privacy policies; prohibitions on the use of data following a change in privacy policy; 
contractual requirements for the sharing of PII; contractual requirements for the 
sharing of non-aggregate, non-PII; providing access to PII use; obtaining data from 
reliable sources; providing reasonable security for data; limiting retention of such 
data; abiding by applicable law; supporting maintenance of the NAI consumer 
complaint mechanism, and responding to consumer questions regarding compliance. 
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improvement with respect to some members’ disclosure of their 
retention periods for data used for online behavioral advertising, and 
in members’ efforts to enforce contractual requirements that their Web 
site partners implement notice and choice disclosures for OBA. 


Consistent with the NAI Code’s transparency requirement, the 
NAI continues to host a centralized consumer choice mechanism that 
allows consumers to opt out of online behavioral advertising by some 
or all of the NAI’s member companies. To date in 2009, there have 
been nearly a million unique visitors to the NAI’s main Web page, and 
nearly 300,000 unique visitors who went through the NAI’s opt out 
process.° 


Additionally, the NAI’s Web site hosts a variety of educational 
materials that explain in a consumer-friendly manner and through a 
variety of different mediums what cookies are; how they are used for 
behavioral advertising; and the tools available to consumers to control 
the use of data for behavioral advertising. This summer, using ad 
impressions donated by its membership, the NAI launched a campaign 
of online ads linking to its educational site. To date this campaign has 
delivered approximately 185 million ad impressions. 


In 2009, NAI members have developed new best practices for 
transparency in online behavioral advertising by developing consumer- 
facing tools that allow consumers to examine and change the 
predictive interest-related segments stored in connection with their 
browser cookies. NAI member companies Google, Yahoo, BlueKai, and 
Safecount have developed innovative and robust approaches that offer 
consumers a variety of different controls.” Other ΝΑΙ member 
companies have continued to develop educational tools, such as video 
and blog entries.® 


With respect to notice, all the evaluated member companies 
include notices on their Web sites that describe their data collection, 
transfer, and use practices as required by the NAI Code. They also 
uniformly include provisions in their standard contracts requiring Web 


2 See Section III(A)(1) findings, infra. 
See http://www.google.com/ads/preferences/view; 

http://info. yahoo.com/privacy/us/yahoo/opt out/targeting/; 

http://tags. bluekai.com/registry; http://www.safecount.net/yourdata.php. 


; See Section III(A)(2) findings, infra. 
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site partners to display NAI-required notice wherever data is collected 
or used for their behavioral advertising services. 


NAI Staff also found that the evaluated member companies have 
appropriate mechanisms in place permitting consumers to exercise the 
choice to opt out of behavioral advertising, and that they honor those 
choices. NAI Staff’s testing of members’ opt out tools throughout the 
year demonstrates that they function well.? Significantly, the ΝΑΙ and 
its member companies have worked to introduce improvements to the 
opt out process, including most notably the NAI’s introduction of a 
beta version of a browser add on to protect consumer opt outs from 
accidental deletion. *° 


NAI Staff also found no compliance deficiencies for the evaluated 
members with respect to the portions of the NAI Code relating to the 
collection and use of personally-identifiable information (“PII”) for 
behavioral advertising purposes. These requirements include the 
requirement for robust notice for prospective merger of PII and non- 
PII, opt in consent for retrospective merger of PII and non-PII, the 
collection of PII from third parties, changes to privacy policies with 
respect to PII, the transfer of PII (as well as non-aggregate non-PII to 
be merged with PII) to third parties, and providing consumers access 
to their PII. Likewise, NAI Staff found no compliance deficiencies with 
respect to provisions of the Code that restrict the use of sensitive data 
for OBA; that prohibit the creation of OBA segments for children under 
13 without parental consent; and that preclude OBA segment use 
other than for marketing purposes. 


NAI Staff further found that the evaluated member companies 
take appropriate measures to ensure the integrity of the non-PII they 
collect, store, and use for behavioral advertising. No compliance 
deficiencies were identified under the Code’s requirements that 
member companies take appropriate measures to ensure that the data 


3 Indeed, of the approximately 1,600 consumer communications received by 


the NAI, only 75 related to issues with members’ opt out tools, all of which the NAI 
helped resolve. See infra at Section IV. 

19 The Opt Out Protector is a Firefox browser add-on designed to protect opt out 
cookies from accidental deletion by helping the browser to “remember” previously 
set opt out preferences for NAI members that are stored in cookies, even if a user 
subsequently invokes the “remove all cookies” browser feature. See 
http://networkadvertising.org/managing/protector_license.asp. 
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they acquire for behavioral advertising come from reliable sources, and 
provide reasonable security for such data. 


With regard to consumer inquiries, both the NAI and its member 
companies maintain mechanisms by which consumers can submit 
questions or complaints related to NAI member companies’ compliance 
with the Code. ΝΑΙ Staff regularly field questions and concerns from 
consumers, working with member companies where necessary, and 
resolving all questions related to NAI compliance. 


In two areas of the NAI Code, a notable number of the evaluated 
member companies needed to make improvements in their 
compliance: (1) the requirement to include a data retention period in 
privacy notices, as required by section III.2(a)(vi) of the Code; and (2) 
the requirement to make reasonable efforts to enforce contractual 
requirements to provide OBA-related notice, or otherwise ensure that 
clear and conspicuous notice and choice are made available on all Web 
sites on which member companies engage in NAI-covered activities, as 
required by sections III.2(b), (c), and (d) of the Code. 


Although the evaluated member companies do provide the 
required notice describing their collection, use, and disclosure of data 
for behavioral advertising purposes on their Web sites, with respect to 
one subset of the notice requirement - disclosing the approximate 
length of time for which such data will be retained - ten member 
companies did not disclose specific retention periods in their privacy 
policies. This requirement of retention specificity is above and beyond 
the NAI’s separate code requirement that OBA-related data be kept 
only as long as necessary to fulfill a legitimate business need, or as 
required by law.* In response to the ΝΑΙ Staff’s findings, all of the ten 
members have either specified their retention periods or provided a 
plan to do 5ο.” 


With respect to the NAI Code requirement of reasonable efforts 
to ensure that OBA-related notice is present on Web publisher partner 


- The NAI’s retention requirement provides an additional level of specificity to 


the self-regulatory standard proposed by Federal Trade Commission (“FTC”) Staff for 
limited data retention (“Companies should also retain data only as long as is 
necessary to fulfill a legitimate business or law enforcement need.”). See FTC Staff 
Report: Se/lf-Regulatory Principles for Online Behavioral Advertising, at p. 47 (Feb. 
2009) (available at http://www2.ftc.gov/os/2009/02/P085400behavadreport. pdf). 


ie See discussion infra at Section III B(2)(A). 
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sites, NAI Staff found that the evaluated members largely lack robust 
programs for enforcing contractual notice requirements, or for 
otherwise ensuring that notice is present where data is collected or 
used for behavioral advertising. NAI Staff recognizes that the 
challenge for members in achieving comprehensive Web publisher 
implementation of OBA-related notice and choice is partly attributable 
to the absence of consistent, industry-wide principles for OBA 
disclosure. The recent adoption by leading advertising and industry 
associations of comprehensive disclosure principles for OBA will likely 
lead in 2010 to a substantial improvement in members’ ability to 
ensure Web site partner notice adoption. Notwithstanding these 
expected improvements in 2010, NAI Staff believes that member 
companies must take additional steps to help implement Web site 
publication of notice and choice mechanisms. Based on the results of 
the 2009 review and the recommendation of NAI Staff, the NAI will be 
developing and implementing a comprehensive partner notice 
implementation plan that aims to further expand notice and choice for 
OBA across the large number of Web publisher sites that partner with 
NAI members. NAI Staff will review individual member plans, monitor 
their implementation, and measure their success, independent of the 
2010 compliance process. 


In addition to compliance assessments under the 2009 review, 
NAI Staff is also making additional best practices recommendations for 
members to augment transparency and choice with regard to 
behavioral advertising in 2010. These recommendations, detailed 
under the relevant substantive provisions of the NAI Code in the 
“Findings” section of this report, include: (1) increased efforts to 
educate consumers about behavioral advertising and the choices 
available to them with respect to such advertising; (2) improved 
prominence and accessibility of members’ notices describing their data 
collection, transfer, and use practices; (3) improved efforts to respond 
promptly to consumer questions implicating members’ compliance with 
the Code. 


In 2010, NAI Staff also intends to pursue other initiatives to 
enhance transparency and choice, including best practices contract 
language for partner Web sites to display notice and choice; increased 
attention to consumer education; and improved methods for 
monitoring consumer questions and complaints relevant to online 
behavioral advertising issues. 


The NAI Staff believes that member companies are, on the 
whole, highly committed to the NAI’s self-regulatory framework. 
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Representatives of the evaluated members expressed commitment to, 
and a desire to learn from, the compliance process, and were anxious 
for further guidance from the NAI on how to best align their business 
practices with the NAI Code. With very few exceptions, the evaluated 
member companies promptly implemented suggested changes in 
practice. The ΝΑΙ believes that the Annual Compliance process, the 
partner notice implementation plan adopted by the NAI, and the other 
initiatives that the NAI and its members are adopting for 2010 will 
further enhance consumer transparency and choice whenever NAI 
members engage in behavioral advertising. 
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2009 ANNUAL COMPLIANCE REPORT 
I. Background 


The ΝΑΙ͂’5 self-regulatory model leverages multiple inputs 
relevant both to compliance and to the development of new best 
practices: these include technical and business-related information 
furnished by NAI members as marketplace participants; information 
relating to different business models and compliance mechanisms; and 
the observations of regulators, advocates, and consumers. These 
inputs help ensure a long-term and viable framework that also assures 
companies that make the affirmative choice to participate in self- 
regulation that their competitors will likewise have incentives to 
adhere to industry norms. 


The ΝΑΙ͂’5 self-regulatory model includes: (1) a binding set of 
rules to which all members must publicly attest their commitment; (2) 
a mechanism for accepting and responding to consumer complaints or 
credible claims relating to compliance; (3) periodic evaluation of 
compliance coupled with public transparency; and (4) mechanisms for 
accountability (including sanctions where applicable). The NAI’s self- 
regulatory program evaluates members’ compliance based on their 
consumer-facing policies and other representations, as well as their 
underlying technology infrastructures, business-to-business contracts, 
and internal practices and procedures. 


In December 2008, the NAI released a revised set of principles 
to govern its member companies’ collection, use, and disclosure of 
information for behavioral advertising. These principles, collectively 
referred to as the NAI’s Self-Regulatory Code of Conduct (“2008 ΝΑΙ 
Code” or “NAI Code”), regulate “Online Behavioral Advertising” (OBA), 
“Multi-Site Advertising,” and “Ad Delivery & Reporting.” OBA is 
defined in the NAI Code as “any process used whereby data are 
collected across multiple web domains owned or operated by different 


- In 1999, the NAI’s founding companies worked with the FTC to establish a 
principled self-regulatory framework that applied fair information practices to the 
complex business-to-business data collection and sharing practices between Web 
publishers and advertising networks. The 2000 NAI Principles, commended by the 
FTC, were the first online advertising framework for self-regulation that explicitly 
addressed the online uses of non-personally identifiable data for advertising. See 
Federal Trade Commission, Online Profiling: A Report to Congress (Part 2, 
Recommendations), at section III (July 2000), available at 
http://www.ftc.gov/os/2000/07/onlineprofiling.hAtm. 
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entities to categorize likely consumer interest segments for use in 
advertising online.” (Code § 11.1.) “Multi-Site Advertising” means “Ad 
Delivery & Reporting’ across multiple web domains owned or operated 
by different entities.” (Code § II.2.) “Ad Delivery & Reporting” means 
“the logging of page views or the collection of other information about 
a browser for the purpose of delivering ads or providing advertising- 
related services,” and includes providing an advertisement based on a 
browser or time of day, statistical reporting, and tracking the number 
of ads served on a particular day to a particular Web site. (Code § 
II.3.) 


As detailed below, the NAI Code imposes transparency, notice, 
and choice obligations on its members. The Code also imposes certain 
limitations on the use and transfer of information to be used for OBA 
or Multi-Site Advertising, requires members to provide reasonable 
access to PII retained for OBA purposes, to protect data used for 
behavioral advertising, and to obtain such data from reliable sources. 
Finally, the Code imposes data retention requirements on its members 
and requires them to adhere to applicable law. 


Membership in the NAI requires public representations that a 
member company’s business practices are compliant with each aspect 
of the Code that applies to its business model. (Code § IV.1(b).) 
These attestations of compliance are subject to enforcement by the 
Federal Trade Commission under Section V of the FTC Act. The NAI’s 
use of this attestation model mirrors that of other initiatives for the 
protection of user data, notably including the Department of 
Commerce’s Safe Harbor Framework for the transfer of the personal 
data of European citizens to the United States. 


As an additional means of ensuring members’ compliance with 
these substantive requirements, the 2008 NAI Code requires members 
to undergo annual compliance reviews and to cooperate with NAI 
designees engaged in the compliance review. (Code § IV.1(c) - (d).) 
This review process is designed to proactively examine NAI member 
companies’ attestations of compliance by ensuring that their business 
practices and public representations are aligned with the requirements 
of the Code. The review process is also intended to educate and 
remind member companies of their obligations under the NAI Code 
and of the sanctions that can result from the failure to honor those 


14 See, e.g., the U.S. Safe Harbor Framework’s Annual Reaffirmation 
Requirement, available at http://www.export.gov/safeharbor/eg_main_018243.asp. 
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obligations, including referral to the NAI Board of Directors, suspension 
or revocation of NAI membership, publication of revocation by press 
release, and referral of non-compliance to the FTC or other 
enforcement Ροαίες. The Code specifies that the results of this 
review, as well as a summary of customer complaints and the 
resolution of those complaints, must be published annually.’® (Code 8 
IV.1(e).) This document is the first annual report to be published 
under these procedures.” 


Per the policies established by the NAI Board, NAI members 
become eligible for annual reviews in “the year following admission to 
the ΝΑΙ as a new member.”*® For 2009, 23 companies have been 
members of the NAI for a year or more and therefore were eligible for 
the annual review.’? Members that joined the ΝΑΙ in January 2009 or 
later have been subject to compliance review as part of the new 
member process, and must attest to compliance with the NAI Code, 
but were not assessed in the 2009 annual review process. Based on 
current levels of membership, the NAI expects that 35 member 
companies will be subject to the annual compliance review in 2010. 


a See NAI Compliance Program Attestation Review Process, at 3 (Feb. 17, 


2009), available at 
http://networkadvertising.org/managing/NAI_COMPLIANCE_AND_ENFORCEMENT_PR 
OGRAM_Attestation_Review_detail. pdf. 

Si Prior to implementing a revised compliance regime in 2008, the NAI worked 
through the TRUSTe Consumer Watchdog mechanism to monitor and report on 
consumer complaints. As of 2009, consumer complaints are being directly handled 
by the NAI. See infra section IV for summary. 

τ ΝΑΙ Staff prepared this annual compliance report. The NAI’s Board was 
allowed the opportunity to review the report prior to approving its issuance, but not 
to alter the substance of the compliance findings. 

18 See NAI Compliance Program Attestation Review Process, infra note 15, at 
section 2. 

19 These 23 companies are as follows: [x + 1], 24/7 Real Media, Akamai 
(aCerno), AlmondNet, Audience Science, BlueKai, Collective Media, Dedicated 
Networks, Fetchback, Fox, Google, interCLICK, Media6Degrees, Microsoft (Atlas), 
Mindset Media, AOL Advertising (formerly Platform A, and including Tacoda and 
Advertising.com), Safecount, Specific Media, Traffic Marketplace, Tribal Fusion, Turn, 
Undertone Networks, and Yahoo (Blue Lithium). 
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II. Methodology 


Under the procedures established by the NAI for compliance 
reviews, NAI Staff review the following materials to assess members’ 
compliance with the NAI Code: (1) representations of business 
practices as set forth in the members’ public and non-public materials, 
including the (a) public Web site, (b) privacy policy, (c) terms of 
service, (d) advertising contracts, and (e) marketing materials; (2) 
responses to an NAI Questionnaire regarding each provision of the NAI 
Code; (3) interviews with senior responsible executives who are 
authorized to bind the company, as well as with relevant engineering 
staff; and (4) responses to any alleged deficiencies in compliance 
raised by the press, other member companies, or the NAI’s consumer 
complaint process (if any).”° 


Under these published NAI procedures, NAI Staff are required to 
advise members on what NAI Principles apply and what modifications 
in business practices may be necessary to bring the company into full 
compliance with the NAI Code. Members must remedy any compliance 
deficiencies, or adopt a plan to do so, within 30 business days of 
identification of the deficiency. NAI Staff may extend this deadline, in 
its discretion, in the event of material technological constraints or 
unavoidable delays. 


The NAI’s compliance program for 2009 was based on 8 multi- 
stage written evaluation and interview process, as well as through a 
separate compliance training mechanism. NAI companies eligible for 
review (i.e. those admitted prior to 2009) were required to provide 
responses to a detailed questionnaire. The questionnaire asked 
members to describe their practices and policies relative to the 
principal NAI Code requirements, and to provide supporting 
documentation. The topics covered by the questionnaire included: 


e Representative provisions of partner contracts requiring NAI- 
compliant notice and choice for OBA and Multi-Site Advertising; 


e Methods of ensuring that partners engaging in the member’s 
OBA and Multi-Site Advertising include NAI-required notice and 
choice; 


20 See NAI Compliance Program Attestation Review Process, infra note 15, at 


section 2. 
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« A technical description of the member’s OBA opt out mechanism, 
including its location, functionality, and testing procedures, as 
well procedures for responding to a malfunction of the opt out, 
and any malfunctions in the opt out tool that have occurred; 


e Contracts, processes, and controls for any sharing or acquisition 
of data used for OBA, Multi-Site Advertising, or Ad Delivery and 
Reporting; 


e Any acquisition or use of de-identified data to support OBA or 
Multi-Site Advertising, including how such data is de-identified; 


e How long data used for OBA, Multi-Site Advertising, or Ad 
Delivery and Reporting is retained and for what purposes it is 
retained; 


e Whether there is any use of sensitive information for OBA or 
Multi-Site Advertising, and what policies and processes exist to 
govern any such use; 


e Descriptions of the policies and practices designed to protect 
data used for OBA, Multi-Site Advertising, or Ad Delivery and 
Reporting; 


e Representative samples of non-public marketing materials and 
training materials relating to OBA; and 


e Descriptions of any complaints relating to ΝΑΙ compliance and 
the resolution of such complaints. 


The questionnaire also reminded members of the results of non- 
compliance, including referral to the NAI Board for sanctions. 


The compliance evaluation and interview process was carried out 
by a team of three NAI attorneys with experience in privacy law, 
corporate compliance, and technology. In addition to reviewing 
members’ responses to the questionnaire, the NAI compliance team 
independently reviewed member companies’ business practices as 
described on their Web sites, privacy policies, terms of service, 
contracts with advertising partners, and marketing materials. In 
addition to publicly available materials, the compliance team reviewed 
business proprietary materials supplied by members. The compliance 
team also used independent technical methods to assess compliance, 
including testing the functionality of members’ opt out tools, reviewing 
the Web sites of members’ partners for notice and choice disclosures, 
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and investigating members’ processes for handling consumer 
complaints. 


NAI Staff then engaged in a multi-stage interview process. For 
these interviews, the compliance team was provided access to high- 
level management and relevant engineering staff. The compliance 
team used the interviews to conduct in-depth assessments of 
members’ business practices, policies, and contract templates. The 
compliance team also engaged directly with technological 
representatives and discussed relevant data flows and opt out 
functionality. 


In addition to assessing members’ business practices and 
technology, the compliance team used these conversations to suggest 
improvements in business practices to enhance transparency and 
choice, even where members’ practices were consistent with NAI 
requirements. For example, in some instances NAI Staff provided 
recommendations on how to make choice mechanisms easier to use. 
As described in further detail below, the compliance team also 
identified any instances in which members’ business practices did not 
meet NAI Code requirements. In those instances, the compliance 
team advised the member about the need to remedy the practice at 
issue, and reached agreement on how the practice would be brought 
into compliance with the Code. As described in the Findings section of 
this report, in one area - member enforcement of the requirement 
that partner Web sites implement notice and choice disclosures for 
OBA - ΝΑΙ Staff is taking additional programmatic steps to assist 
member companies’ compliance efforts. 


Finally, as part of this review, the NAI required member 
companies to attest to their ongoing compliance with the NAI Code 
and the veracity of the information provided in the review process. 
This certification supplements the member’s public attestation that it 
complies with the provisions of the NAI Code. 


III. ΝΑΙ Compliance Findings 


This section of the report sets forth the findings of NAI Staff with 
respect to the compliance of the evaluated member companies with 
each substantive provision of the ΝΑΙ Code.** The findings are 
presented in the order in which the requirements appear in the Code.” 


ae At the time of issuance of this annual report, one company, Specific Media, 


had not provided sufficient information to permit Staff to fully complete its evaluation 
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A. Transparency/ Education 
1. ΝΑΙ Education 
Standard 


The NAI Code requires members to collectively maintain an NAI 
Web site to serve as a centralized portal offering explanations of online 
behavioral advertising and member companies’ compliance with the 
NAI Principles, including information about and centralized access to 
consumer choice mechanisms. (Code § II.1(a).) 


Findings 


The NAI’s Web site hosts educational materials, an explanation 
of the NAI Principles, an opt out page, and a mechanism for 
consumers to register complaints against member companies. There 
were approximately 645,000 unique visits to the NAI’s consumer 
portal in 2008; in 2009, that number rose to over 1,000,000 unique 
visits. 


Visits to NAI Consumer Portal 


Total Unique 
Total User Visits User Visits 


2007 
2008 750,784 644,917 


Year 


2009 YTD”? 1,273,713 1,105,765 


of Specific Media's compliance with the NAI Code, and therefore the results of its 
compliance review are not included in this report's conclusions. The information 
made available by Specific Media to date revealed possible compliance issues with 
certain provisions of the Code, and NAI Staff’s evaluation is continuing. NAI Staff 
may supplement its 2009 Compliance findings as necessary. 

22 NAI compliance is a continuing obligation, and the annual compliance review’s 
findings may be supplemented as appropriate. 


23 
2009. 


The NAI Web site visitor data in this report were current as of December 21, 
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a) ΝΑΙ Consumer Education 


In July 2009, the NAI launched a new consumer education web 
page (http://networkadvertising.org/managing/learn_more.asp) that 
aggregates video, blog, and explanatory content, together with 
information relating to general research and public policy discussion of 
online behavioral advertising. 


NAI Consumer Education Web Page 


Network Advertising Initiative 
< τ (ο 8 http://www.networkadvertising.org/managing/learn_more.asp wy )= (δι 
Most Visited - Getting Started Latest Headlines A 
ΓΙ Network Advertising Initiative + = 
9 "I am the Long Tail” is a vi joni roduc Trom Google 
the IAB (U ebsites 


On Cookies 


Whazit? What are http cookies? How are they used? What 
controls do I have in my browser to set rules for the kinds of 
cookies that are set on my computer? This and much more, 

as you learn about cookies via the following links 


© David Whalen's "Unofficial Cookie FAQ Version 2.6" is ΑΗ 
chock full of information and explanations: Behavioral Advertising explained 
htto://www.cookiecentral.com/faa/ by AOL 
© The Interactive Advertising Bureau of Europe's Cookie 
lab 


http://en.wikipedia.org/wiki/HTTP_cookie 


© There are in-depth books written on the topic, this one 
by Simon St. Laurent: http://www.amazon.com 
Lexec/obidos/ 

© Firefox offers a plugin specific to targeted advertising 
cookies, developed by Christopher Soghoian 

https://addons.mozilla.ora/en-US/firefox/addon/11073 | BP 8 til 

Harvard's Berkman Center Cookie 
Crumble Contest Videos 


Wikis 
These entries contain simple, user-generated and edited 


explanations of important vocabulary and concepts that may 
be of interest: Got Cookies? 


Transferring data from i3.ytimg.com. 


Some of the videos hosted on the ΝΑΙ site were produced by ΝΑΙ 
members (including Google and AOL); others were produced by 
contributors to the FTC’s 2007 Online Behavioral Advertising 
workshop. The videos explain, in plain English, what cookies are, how 
they work, how they can be used by advertisers to categorize 
consumers into interest groups, and how users can delete or block 
them. In addition, the NAI site contains many links to informational 
articles, blogs, and regulatory materials that also explain, in simple 
terms, the technology behind behavioral advertising and how 
consumers may exercise choice with respect to cookies. 


NAI members have published banner ads linking to this 
educational page across their networks through their own educational 
efforts. Collectively, to date NAI members have contributed 
approximately 185 million ad impressions to help consumers obtain 
access to the educational materials on the NAI Web site. There have 
been approximately 60,000 unique page views of the educational Web 
site since it launched this summer. 
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Visits to NAI Consumer Education Page 


Total User Unique User 
Page Views Page Views 


6/01/09 - 12/21/09 64,173 58,686 


b) ΝΑΙ Consumer Opt Out Tool 


Date 


The opt out section of the ΝΑΙ Web site” clearly explains how 
consumers may opt out of online behavioral advertising by one, some, 
or all NAI members; provides consumers information about which 
member companies have active OBA tracking cookies on their 
computers; and is designed to permit consumers to opt out of online 
behavioral advertising by all NAI member companies in only three 
clicks. 


NAI Opt-Out Web Page 


je =) Network Advertising Initiative 
| + |© nup: //networkadvertising.org/managing/opt_out.asp ela 


Consumer Opt-Out | Privacy 


Network Advertising Initiative 


Home Managing Your Privacy Participating Networks About Us Contact Us 
Overview Ν SF: 

Principles Overview Opt Out of Behavioral Advertising 

Opt-Out 

Eea The NAI Opt-out Tool was developed 

Spin bra Glace in conjunction with our members for 

FAQs the express purpose of allowing 

ο bce consumers to "opt out" of the 


behavioral advertising delivered by 
our member companies. 


Using the Tool below, you can 
examine your computer to identify > 5 0:00/3:01 «a EB Cg 
those member companies that have 

placed an advertising cookie file on your computer. 


To opt out of an NAI member's behavioral advertising program, simply check the box that 
corresponds to the company from which you wish to opt out. Alternatively, you can check the box 
labeled "Select All" and each member's opt-out box will be checked for you. Next click the 
"Submit" button. The Tool will automatically replace the specified advertising cookie(s) and verify 
your opt-out status. 


Opting out of a network does not mean you will no longer receive online advertising. It 
does mean that the network from which you opted out will no longer deliver ads tailored to your 
Web preferences and usage patterns. 


If you have any questions, please visit our FAQ section. 


Opt-Out Status 


(Select all Clear (Submit 
Member Company Status Opt-Out 
aCerno No Cookie Opt-Out 1) 
More Information You have not opted out and you have 
--- ΕΕ ΕΕ eer i apie ee e 


The NAI’s opt out page works by accessing URLs hosted on 
member companies’ servers. The URLs generally call scripts on the 


“a http://networkadvertising.org/managing/opt_out.asp 
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members’ servers, which check for or set opt out cookies on that 
member’s domain. All NAI members are required to integrate with the 
NAI opt-out tool as a condition of their membership. The NAI Web site 
also contains an extensive FAQ section to aid consumers who have any 
difficulty in opting out, and, as detailed below, the Web site contains 
contact information for NAI Staff, who regularly assist consumers in 
the opt out process. In 2008, the NAI had approximately 145,000 
unique visitors who entered opt out requests and received the NAI's 
opt out results page; by the end of 2009, that number is expected to 
reach nearly 300,000.” 


NAI Consumer Opt Out Usage 


ΝΑΙ Opt-Out Tool - Page Opt-Out Results Page 
Views Views 


Year Total Unique Total Unique 


2007 1,097,996 798,006 140,661 84,022 


20087° 854,842 553,629 227,758 145,156 
2009 YTD?’ 1,463,660 978,910 472,366 293,550 


In general, the NAI tests the NAI opt out web page on a weekly 
basis, and as needed in response to consumer questions. The testing 
is done from a user’s perspective, replicating the experience a user 
would have under various conditions. The testing always includes 
baseline conditions on current versions of several standard web 
browsers in the two major consumer desktop operating systems, 
Windows and Mac. NAI Staff also occasionally test other conditions, 
such as with web browsers set to block third party cookies, or with or 
without opt out cookies already present. 


In November of this year, the NAI enhanced its opt out tool by 
releasing a beta version of the ΝΑΙ Consumer Opt Out Protector.” The 


23 The consumer usage data for the NAI opt out tool does not include opt out 


requests processed by individual member companies. As described in section 
III(C)(1), member companies are required to individually maintain their own opt out 
tools, and consumers regularly use those tools as well. 


= The drop in traffic between 2007 and 2008 likely reflects the NAI’s adoption of 
new analytic tools. 


27 Numbers are current as of December 21, 2009. 
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Opt Out Protector, which was designed by ΝΑΙ member Bluekai, is a 
Firefox browser add-on designed to help protect opt out cookies from 
accidental deletion. Once installed, the software helps the Firefox 
browser “remember” previously set opt out preferences for NAI 
members that are stored in cookies, even if a user subsequently 
invokes the “remove all cookies” browser feature. 


c) NAI Consumer Inquiry and Complaint 
Mechanisms 


In addition to the substantial educational materials and FAQs on 
the NAI Web site, the NAI also provides contact information for NAI 
Staff to assist consumers in the opt out process and to answer any 
other concerns they may have. As discussed in detail in section IV 
below, NAI Staff has fielded approximately 1,600 general consumer 
communications, resolving all of those that involved NAI or NAI 
member practices. 


2. Member Education 
Standard 


The NAI Code requires members to individually and collectively 
educate consumers about behavioral advertising and the choices 
available to them with respect to behavioral advertising. (Code § 
II.1(b).) 


Findings 


Many NAI members have engaged in substantial and creative 
individual efforts to educate consumers about behavioral advertising in 
accordance with II.1(b) of the Code. Several NAI members have 
assisted the NAI’s educational efforts by contributing a sizeable 
number of ad impressions to the NAI educational campaign, or by 
contributing services to the NAI Web site. Other members support 
educational efforts by speaking and writing on OBA issues and by 
participating in workshops and conferences regarding such issues. 

Still others have made significant contributions to other OBA 


an http://networkadvertising.org/managing/protector_license.asp. 
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educational campaigns, such as the recent initiative sponsored by the 
Interactive Advertising Bureau (ΙΑΒ).” 


NAI members have also developed their own educational 
campaigns, including creative content. These innovative educational 
tools reach consumers in a clear and consumer-friendly manner. For 
example, Google offers a series of videos on the privacy section of its 
Web site that clearly explain cookies and behavioral advertising.” 
Safecount also hosts short informative videos explaining how it uses 
cookies.** AOL hosts a series of easy-to-understand diagrams that 
explain behavioral advertising and the effect of opting out, and also 
hosts a virtual penguin that guides consumers with respect to their 
choices.** Yahoo, BlueKai, Safecount, and Google also provide 
consumers an easy to understand explanation of how online activity is 
used for advertising purposes, and allow consumers to view the 
interest segments associated with their browsers.” 


Although these educational and transparency efforts are 
substantial, the NAI Staff believes that NAI membership, as a whole, 
could do even more, individually and collectively, to educate 
consumers about OBA. The transparency of NAI member companies’ 
practices is an essential element of ΝΑΙ compliance. ΝΑΙ Staff 
accordingly encourages its members to augment their educational 
efforts in 2010. 


See “Privacy Matters” at http://www.iab.net/privacymatters/. 


30 http://www.google.com/intl/en/privacy.html. 


= http://www.safecount.net/ind_overview.php. 


ee See http://www. privacygourmet.com/blog/consumer-education-page.html; 


http ://www.youtube.com/user/AOLCap. 


ae See http://info. yahoo.com/privacy/us/yahoo/opt_out/targeting/; 


http://tags. bluekai.com/registry; http://www.safecount.net/yourdata.php; 

http ://www.google.com/ads/preferences/view. eXelate, an ΝΑΙ member not 
reviewed as part of this compliance report, also allows consumers to view and adjust 
the interest segments associated with their browsers. See 

http ://exelate.com/new/consumers-optoutpreferencemanager.html. 


24 For example, members that have impressions could increase their 


contributions to the NAI educational campaign or to other industry OBA educational 
campaigns; those that do not have impressions could support industry efforts by 
supplying design services, articles, and other educational content. All member 
companies could participate in industry events regarding OBA education and share 
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B. Notice 
1. Member-Provided Notice 
Standard 


Section III.2(a) of the ΝΑΙ Code requires members directly 
engaging in OBA, Multi-Site Advertising, and/or Ad Delivery and 
Reporting to clearly and conspicuously post notice on their Web sites 
that describes their data collection, transfer, and use practices. The 
required notice must include clear descriptions of the following (as 
applicable): (1) the OBA, Multi-Site Advertising, and/or Ad Delivery 
and Reporting activities undertaken by the member; (2) what types of 
data are collected by the member; (3) how such data will be used, 
including any transfer to a third party; (4) the types of PII and non-PII 
that may be merged; (5) an easy-to-use procedure for exercising opt 
in or opt out choice with respect to OBA data use (with the choice 
provided depending on the type of data); and (6) the approximate 
length of time that data used for OBA, Multi-Site Advertising, and/or 
Ad Delivery and Reporting will be retained by the member company. 


Findings 


There has been significant discussion about the optimal approach 
to informing users about the collection and use of their information for 
online behavioral advertising. Although Web site privacy policies have 
historically provided a scalable and consistent means of achieving 
notice across thousands of Web sites of varying size and complexity, 
the 2008 NAI Code expressly allows members the flexibility to pursue 
any disclosure approach so long as it is clear and conspicuous. The 
FTC has expressly encouraged such experimentation.’ 


The NAI and its members have publicly expressed its support for 
the enhanced notice program adopted by leading advertising 
associations, and is currently working with its members and other 
industry groups to provide enhanced forms of notice such as notice in 


best practices. NAI Staff, for its part, will continue to assist in coordinating and 
suggesting best practices for educational campaigns. 


33 FTC Staff Report: Self-Regulatory Principles for Online Behavioral 


Advertising,” infra note 11, at pp. 36-37. 
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or around ads. NAI Staff believes that its subsequent annual 
compliance reviews will show a significant increase in alternative forms 
of notice. Indeed, NAI members Google and Fetchback have already 
built enhanced notice mechanisms that provide notice in or around 
their ads.*° ΝΑΙ Staff encourages members to continue these efforts to 
implement enhanced notice throughout their networks. 


All evaluated members include notices on their Web sites that 
describe their data collection, transfer, and use practices. NAI Staff 
found that member notices are appropriately located and adequately 
describe the OBA, Multi-Site Advertising, and Ad Delivery and 
Reporting activities undertaken, the types of data collected and how 
the data is used and transferred, and descriptions of how to opt out of 
OBA data use in a sufficient level of detail to be understood by 
consumers.’ 


At the time of the 2009 review, however, almost half of the NAI 
members reviewed - ten in total - lacked the information required in 
section III.2(a)(6) of the Code: disclosure of the approximate length 
of time that data used for OBA, Multi-Site Advertising, and/or Ad 
Delivery and Reporting will be retained by the member company.*® 
This requirement of retention specificity is above and beyond the NAI’s 
separate code requirement that OBA-related data be kept only as long 
as necessary to fulfill a legitimate business need, or as required by 
law. In response to the ΝΑΙ Staff's findings, all of the affected 
members have either specified their retention periods or established a 
plan to do so. Six members updated their Web sites to include a 
retention period before this report was issued. Four members whose 
Web sites lack a stated retention period have represented that they 
are in the process of revising their data retention practices and will 
include a retention period for OBA data by the end of Q1 in 2010. 


29 See http://googlepublicpolicy.blogspot.com/2009/10/coming-to-online-ad- 


near-you-more-ads.html; http://www.fetchback.com/press 061509.html. 


37 Through the course of the compliance review, NAI Staff recommended to 


several member companies that they make improvements to their notices, even 
where their notices met the NAI Code’s compliance standards. NAI Staff believes 
that revisions in the placement and/or wording of those notices could further 
improve their consumer friendliness. 

ΒΒ Some of the affected members have noted the challenge in establishing a 
single retention period for all OBA data because of sometimes differing legal and 
contractual requirements. 
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2. Web Site Partner Notice 
Standard 


In addition to providing notice and choice with respect to their 
own Web sites, NAI members must require Web sites with which they 
partner for OBA or Multi-Site Advertising to also post notice and 
provide consumers a means of exercising choice with regard to OBA. 
Specifically, section III.2(b) of the NAI Code requires members to 
require Web sites with which they contract for OBA or Multi-Site 
Advertising services to clearly and conspicuously post notice or ensure 
that notice is made available on the Web site where data are collected 
for OBA or Multi-Site Advertising purposes. Such notice must contain: 
(1) a statement of fact that OBA and/or Multi-Site Advertising is 
occurring; (2) a description of the types of data that are collected for 
OBA or Multi-Site Advertising purposes; (3) an explanation of how and 
for what purposes that data will be used or transferred to third parties; 
and (4) a conspicuous link to the OBA choice mechanism provided by 
the member, and/or the opt out page on the NAI’s Web site. 


In the event a member is notified or otherwise becomes aware 
that a contractee is in breach of these duties, the member is required 
to make reasonable efforts to enforce the contract. (NAI Code § 
III.2(c).) Even in the absence of a contractual relationship, members 
are required to make reasonable efforts to ensure that all companies 
engaging in their OBA, Multi-Site Advertising, and/or Ad Delivery and 
Reporting furnish or require notices comparable to that described. 
(NAI Code § III.2(d).) 


Findings 
a) Contractual Provisions 


Evaluated members submitted provisions from their contracts 
requiring their partners to display NAI-required notice and choice. 
Members verified that these provisions are included in members’ 
standard operating contracts or other standard terms with partner 
sites, in some cases submitting relevant provisions of final executed 
contracts. Many members use sample language provided by the NAI, 
modified as necessary to reflect their business practices.*? Based on 


33 Section II.2(b) of the Code contemplates that there may be means other than 


contractual provisions to “ensure that [] notice [is] made available on the Web site 
where data are collected for OBA and/or Multi-Site Advertising.” As discussed with 
regard to member-provided notice, one way member companies may accomplish this 


23 


2009 ΝΑΙ Annual Compliance Report 


its review of these contractual provisions, NAI Staff believes that the 
evaluated members include appropriate provisions in their contracts, 
consistent with section III.2(b) of the NAI Code. 


b) Enforcement of Contracts 


Although the evaluated member companies have adequate 
contractual provisions to require notice on partner Web sites relating 
to their OBA services, NAI Staff believes that the notices required by 
these contractual provisions are not present on partner Web sites at a 
sufficient level of frequency.*® In exploring the different reasons that 
partner Web sites do not display such OBA-related notice, NAI Staff 
found that one important cause is that evaluated members largely lack 
robust programs for enforcing contractual notice requirements, or for 
otherwise ensuring that notice is present where data is collected or 
used for their behavioral advertising.*t ΝΑΙ Staff believes that the 
evaluated members could take additional steps to help ensure that the 
Web sites where they engage in OBA, Multi-Site Advertising, or Ad 
Delivery and Reporting provide consumers notice consistent with the 
NAI Code. 


NAI Staff also recognizes that the challenge in achieving 
comprehensive Web publisher implementation of OBA-related notice 
and choice is also attributable in part to the absence of consistent, 
industry-wide principles for disclosure in connection with online 
behavioral advertising. The absence of such an industry consensus 
was a contributing factor to some publishers’ lack of implementation of 
OBA-related disclosures. The recent adoption by leading advertising 


is by including NAI-required notice in or around their ads. NAI Staff believes that 
industry progress to such enhanced notice will help ensure the NAI Code objective 
that notice and choice be available wherever OBA occurs. 

40 NAI Staff evaluated membership’s efforts to enforce contractual notice 
requirements in several ways, including considering members’ processes for 
enforcing contractual provisions; reviewing members’ own findings with regard to 
whether the Web sites with which they partner have NAI-required notice and choice 
in place; and by using independent methods to evaluate the availability of notice and 
choice on Web sites on which NAI members collect or use data for OBA. 

a NAI Staff also found that NAI member companies reported increased difficulty 
in securing adoption of consumer OBA notice as the volume and scale of partner Web 
sites in their networks increase. 
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and industry associations of comprehensive disclosure principles for 
OBA will likely lead in 2010 to a substantial improvement in members’ 
ability to secure enforcement of this ΝΑΙ Code requirement.* More 
importantly, NAI Staff believes that the adoption of industry-wide 
principles that promote enhanced notice - including through notice 
delivered in or around OBA advertisements -- will also improve 
consumer access to notice and choice mechanisms wherever 
behavioral advertising occurs. 


Notwithstanding these anticipated improvements in 2010, the 
NAI Code imposes an obligation that NAI members make reasonable 
efforts to ensure that their Web site publishing partners provide notice 
and choice wherever they engage in OBA. Based on the results of the 
2009 review and the recommendation of ΝΑΙ Staff, the ΝΑΙ will be 
developing and implementing a partner notice implementation plan 
that aims to expand notice and choice for OBA across Web publisher 
sites that partner with NAI members. Among other things, NAI Staff 
will review members’ individual plans for introducing and requiring 
OBA-related notice and choice at the initiation of a relationship with a 
Web site partner; members’ on-going processes for evaluating 
whether notice is present on partner Web sites where they collect and 
and/or use data for behavioral advertising; and their policies and 
procedures for corrective measures for Web sites found not to be 
meeting these requirements. 


ΝΑΙ Staff will work with members in these efforts to enforce the 
partner notice requirement by providing training materials to assist in 
educating Web publisher partners; compiling and sharing model 
language; and sharing best practices for Web publisher cooperation. 
NAI Staff will review member plans and monitor their implementation. 
To further ensure that progress is timely, NAI Staff will reassess 


A The “Associations Principles” were released in July 2009 by leading 


advertising industry associations to govern the collection, use, and transfer of 
information for OBA. Section II.B of the Associations Principles requires that when 
data is collected from or used on a Web site for OBA purposes, the operator of the 
Web site include a clear, meaningful, and prominent link on the webpage where data 
is collected or used for such purposes that links to a disclosure that describes the 
OBA taking place, states the adherence to the Principles, and contains an opt out 
mechanism. This disclosure is not necessary when “enhanced notice” is provided by 
the third party placing the ad. Section II.A(2)(a) provides that this enhanced notice 
may be provided either in or around the ad, or on the web page where data is 
collected. See AAAA/ANA/BBB/DMA/IAB Principles, available at http://www.the- 
dma.org/government/ven-principles%2007-01-09%20FINAL. pdf 
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members’ success in enforcing Web publisher notice requirements 
independent of the 2010 annual compliance review. 


c) Reasonable Efforts to Provide Notice in 
the Absence of Contracts 


Some NAI members engage in OBA, Multi-Site Advertising, 
and/or Ad Delivery and Reporting using business models that do not 
permit a direct contractual relationship with every entity participating 
in those activities with them. For example, some members place 
advertising on ad networks using standard insertion orders such as 
those adopted by the IAB, or by purchasing ad inventory through an 
ad network or ad exchange. In these cases, the member's relationship 
is with the ad network, not with the Web site where OBA data will 
ultimately be collected or used. Nevertheless, NAI members are 
required to make reasonable efforts to ensure that companies 
participating in their OBA, Multi-Site Advertising, or Ad Delivery and 
Reporting furnish notice comparable to that required where there is a 
direct contractual relationship with the Web site. 


As noted in the discussion of enforcement of contractual 
provisions above, NAI Staff believes that OBA-related notice and 
choice disclosures are not present on partner Web sites at a sufficient 
level of frequency. As also previously discussed, the adoption of 
industry-wide principles is expected in 2010 to contribute to 
improvements in OBA-related disclosure. NAI Staff believes that 
notwithstanding these coming changes to the OBA ecosystem, NAI 
member companies can augment their efforts to ensure that notice 
and choice are present wherever they engage in OBA, even where they 
do not have a contractual relationship with the parties displaying their 
ads. NAI Staff recognizes the additional challenge that these indirect 
relationships pose to NAI member companies. Nevertheless, NAI Staff 
will work with members to develop plans that help ensure that notice 
is present wherever they collect or use data for OBA purposes, even in 
situations in which they do not have a direct contractual relationship 
with the Web publisher. 


C. Choice 
Standard 


As set forth above, members are required to give consumers 
choice with respect to their use of data for OBA purposes. The type of 
choice members “must provide and honor” depends on the type of 
information used. (Code § III.3(a).) Specifically, and most 
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commonly, members must provide and honor an opt out mechanism 
for the use of non-PII for OBA purposes. (Code § III.3(a)(i).) This opt 
out mechanism must be available both on the member’s Web site and 
on the ΝΑΙ consumer Web site. (Id.) 


If a member intends to merge non-PII with PII going forward 
(prospective merger), the member must provide robust notice as well 
as an opt out mechanism. (Code § III.3(a)(ii).) If a member merges 
PII with previously-collected non-PII for OBA purposes (retrospective 
merger), the member must require a consumer’s opt in consent. 
(Code § III.3(a)(iii).) Members also must obtain opt in consent to use 
Sensitive Consumer Information. (Code § III.3(a)(iv).) “Sensitive 
Consumer Information” is defined to include Social Security Numbers 
and other government-issued identifiers, insurance plan numbers, 
financial account numbers, precise real-time geographic location 
derived through GPS-enabled services, and precise information about 
past, present, or potential future health or medical conditions or 
treatments. (Code § II.8.) 


Findings 
1. Opt Out for OBA 


As described above, consumers can opt out of collection of their 
data for OBA purposes by any or all of the NAI member companies on 
the NAI Web site. In addition, every member must provide an easy- 
to-use procedure for opting out of use of data for OBA purposes on its 
own Web sites. NAI Staff determined that the evaluated member 
companies provide an appropriate and functioning opt out mechanism 
on their Web sites. As part of the review process, ΝΑΙ Staff also 


a3 A NAI Member Company, Undertone, implemented a significant infrastructure 


change that caused it to lose the ability to read the consumer data connected with its 
previous cookie-serving domain. The data included opt-out preference data 
associated with the previous cookie domain. Thus, in addition to Undertone losing 
the ability to use previously-collected data for OBA, consumers who had previously 
opted out needed to renew their opt out for any future behavioral targeting by 
Undertone. Undertone has since publicly disclosed the event, implemented 
enhanced privacy controls, and continues to work with the NAI’s Compliance Staff to 
implement procedures and training to avoid similar occurrences in the future. 
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shared, and members adopted, best practices recommendations for 
opt out placement and functionality.** 


In addition to ensuring that evaluated members provide an opt 
out mechanism, NAI Staff sought to ensure that members also honor 
consumers’ opt out choices. As detailed in section III(A)(1)(b), above, 
NAI Staff regularly tests the opt out mechanisms provided by its 
member companies to ensure that they function as expected on the 
NAI opt out page. NAI Staff engaged in additional testing of all 
members undergoing review both on the NAI opt out web page and on 
the members’ own sites. Specifically, NAI Staff checked members’ opt 
out cookies to ensure: 1) that they were present after engaging the 
opt out; and 2) that they are set to a minimum five-year lifespan.* 
Furthermore, in any instances in which NAI Staff’s testing indicated 
that a member was continuing to set cookies for other business 
purposes after a consumer has opted out of behavioral advertising, 
NAI Staff conducted a review with each member to verify that such 
cookies are used for non-OBA purposes and that consumers’ opt out 
choices are honored.*° 


Although NAI Staff encountered very few issues with opt out 
functionality in 2009, ΝΑΙ Staff recommends that members enhance 
the reliability of their opt out mechanisms through more systematic 


NAI Staff in some instances recommended changes in the placement and 


prominence of opt out links. Additionally, NAI Staff recommended that non-essential 
cookies be expired upon the setting of an opt out cookie. 

oe This summer the NAI established a policy that all NAI member companies 
must implement a minimum five-year lifespan for their opt-out cookies, as soon as 
reasonably feasible. 

ze NAI Staff’s review of member cookie use under the NAI Code included the 
use of local shared objects, such as Flash cookies. All of the evaluated members 
confirmed that they do not use such technologies for OBA. 


a7 In 2009 NAI Staff identified several minor functionality problems with the NAI 
opt out tool. First, when browsers are set to block third party cookies and an opt out 
attempt is made, the user should get a report that the attempt failed. While blocking 
third party cookies has the practical effect of disabling any OBA, in a handful of 
cases, members’ scripts incorrectly reported that an opt out cookie had been placed. 
This issue is in the process of being remedied. Second, the NAI opt out page 
includes a feature that reports whether or not an “active cookie” is present in the 
user's browser. NAI Staff has worked with a number of members to ensure that the 
relevant scripts report the correct state. Finally, Staff has addressed member- 
specific issues, such as in the instance a member's opt out script was reporting a 
failed opt out even though the opt out cookie had actually been set. 
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testing. NAI Staff will continue to refine its specifications for opt out 
functionality, integration with the NAI opt out page, and other tools. 
The NAI recently issued a revised and more detailed functional 
specification for integration with the NAI opt out web page. In 2010, 
the NAI Staff plans to issue additional guidance to members on 
maintaining the functionality and security of opt out tools, including 
the prevention of inadvertent malfunctions resulting from Web site 
configuration changes. 


2. Merger of PII and Non-PII 


NAI Staff’s review of member companies’ practices revealed no 
compliance deficiencies with respect to the merger of PII with non-PII 
on a going-forward or retrospective basis. PII is defined in the NAI 
Code to include “name, address, telephone number, email address, 
financial account number, government-issued identifier, and any other 
data used for or intended to be used to identify, contact or precisely 
locate a person.” None of the evaluated member companies have 
merged PII with non-PII for OBA purposes, or expressed plans to do so 
in the future. Sections III.3(a)(ii) and III.3(a)(ii) of the ΝΑΙ Code 
require robust notice or opt in consent only in the event of such a 
merger. 


3. Sensitive Information 


For the evaluated members, ΝΑΙ Staff found that financial 
account numbers, insurance plan numbers, social security numbers or 
other government-issued identifiers, or precise real-time geographic 
location information are not being collected or used for OBA purposes. 
The compliance process demonstrated that evaluated member 
companies have a uniformly high awareness of the sensitivity of this 
data, and have protections in place to ensure that it is not to be 
collected or used for OBA without the consumer consent mechanisms 
specified by the Code. 


NAI Staff’s review revealed no compliance deficiencies under the 
NAI Code with respect to its provisions relating to sensitive health 
information. The evaluated companies have policies in place for 
evaluating any potential collection or use of health-related information 
for OBA purposes or the creation of any health-related interest 
segments. These policies and procedures are designed to delineate 
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non-sensitive, as opposed to potentially sensitive, types of consumer 
information consistent with the ΝΑΙ Code.* 


D. Use Limitations 
1. Children 
Standard 


The NAI Code prohibits the use of non-PII or PII to create OBA 
segments specifically targeted at children under 13 without verifiable 
parental consent. (NAI Code § III.4(a).) 


Findings 


None of the evaluated members were found to create segments 
specifically targeting children under thirteen, and ΝΑΙ Staff’s review 
revealed no compliance deficiency with respect to this provision of the 
Code. The member companies have processes and procedures in 
place to ensure that segments specifically targeted at children under 
thirteen are not created or used. 


2. Marketing Purposes 
Standard 


Under the NAI Code, members directly engaged in OBA are 
prohibited from using, or allowing the use of, OBA segments other 
than for marketing purposes. (ΝΑΙ Code § III.4(b).) 


Findings 


None of the evaluated members were found to use, or allow the 
use of, OBA segments for any purposes other than marketing, and NAI 
Staff’s review revealed no compliance deficiency with respect to this 
provision of the Code. The evaluated members report using OBA data 
only for purposes of determining likely consumer interests and serving 
ads to consumers. To the extent the evaluated members share non- 
aggregate non-PII, they do so for the purpose of allowing the third 
party receiving the data to deliver targeted ads to consumers. 


48 When the NAI released the 2008 Code, the NAI indicated that it would 
develop an implementation guideline governing Sensitive Consumer Information. 
(Code § 11.8, n. 4.) The ΝΑΙ is continuing its work to provide more detailed guidance 
relating to the application of the health-related provisions of the Code. 
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3. Collection of PII in Absence of Contract 
Standard 


The NAI Code forbids the collection of PII for OBA purposes in 
the absence of a contractual relationship with the company. (NAI 
Code § III.4(c).) 


Findings 


None of the evaluated members were found to collect PII for 
OBA purposes from third parties, and NAI Staff’s review revealed no 
compliance deficiency with respect to this provision of the Code. 


4. Changes of Privacy Policy With Regard to PII 
Standard 


The NAI Code provides that if a member changes its own privacy 
policy with regard to PII and merger with non-PII for OBA purposes, 
prior notice must be posted on the member’s Web site, and any 
material change shall only apply to changes collected following the 
change in policy. (ΝΑΙ Code § III.4(d).) Further, if data is collected 
under a privacy policy that states that data would never be merged 
with PII, such data may not be later merged with PII in the absence of 
an opt in consent from the consumer. (NAI Code § III.4(e).) 


Findings 


None of the evaluated members were found to have changed 
their privacy policies to allow the merger of PII with non-PII, and NAI 
Staff’s review revealed no compliance deficiency with respect to this 
provision of the Code. 


E. Transfer & Service Restrictions 
1. Sharing of PII 
Standard 


NAI members must contractually require any third parties to 
which they provide PII for OBA or Multi-Site Advertising to adhere to 
applicable provisions of the ΝΑΙ Code. (ΝΑΙ Code § III.5(a).) 
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Findings 


None of the evaluated members were found to share PII for OBA 
or Multi-Site Advertising purposes with third parties, and ΝΑΙ Staff’s 
review revealed no compliance deficiency with respect to this provision 
of the Code. 


2. Sharing of Non-Aggregate Non-PII 
Standard 


When members provide non-aggregate non-PII to third parties 
to be merged with PII possessed by the third parties for OBA or Multi- 
Site Advertising services, they must contractually require the third 
parties to adhere to applicable provisions of the Code. (NAI Code § 
III.5(b).) 


Findings 


None of the evaluated members were found to be sharing non- 
aggregate non-PII to be merged with PII possessed by third parties. 
Those members that do share non-aggregate, non-PII include 
provisions in their contracts governing such sharing to ensure that 
non-aggregate non-PII is protected and not merged with PII. ΝΑΙ 
Staff’s review of those contractual provisions and members’ internal 
policies with regard to any such sharing revealed no compliance 
deficiency with respect to the requirement that members take 
appropriate measures to protect the non-aggregate non-PII that they 
share with third parties. 


Ε. Access 
Standard 


Members are required to provide consumers with reasonable 
access to PII, and other information associated with that PII, retained 
by the member for OBA or Multi-Site Advertising purposes. (NAI Code 
§ III.6(a).) 


Findings 


None of the evaluated members were found to be using PII for 
OBA or Multi-Site Advertising purposes. Accordingly, the requirement 
of access to PII and associated non-PII data under section III.6(a) was 
not implicated. 
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G. Reliable Sources 
Standard 


Members are required to make reasonable efforts to ensure that 
they are obtaining data for OBA, Multi-Site Advertising, and/or Ad 
Delivery and Reporting from reliable sources. (NAI Code § III.7(a).) 


Findings 


Upon review of members’ responses to the NAI questionnaire 
and supporting materials, NAI Staff found no compliance deficiency 
with respect to the requirement that members make reasonable efforts 
to ensure that the data they obtain for OBA, Multi-Site Advertising, 
and/or Ad Delivery and Reporting come from reliable sources. Most 
members report obtaining such data from NAI members that are 
bound by the NAI Code, or from companies that are applying to 
become NAI members and are bringing their practices into alignment 
with the NAI Code. Some members reported obtaining data to be 
used for OBA purposes from entities that are not NAI members. In 
those instances, the relevant members have a process in place to 
ensure that the companies from which they obtain data have 
appropriate protections to ensure reliability. For example, members 
that obtain OBA data from third parties conduct due diligence on those 
sources -- including investigating from where the data was derived and 
whether it was obtained with appropriate disclosure -- in order to help 
verify that it is complete and accurate. 


H. Security 
Standard 


Members that collect, transfer, or store data used in OBA, Multi- 
Site Advertising, and/or Ad Delivery and Reporting are required to 
provide reasonable security for that data. (NAI Code § III.8(a).) 


Findings 


NAI Staff’s review revealed no compliance deficiencies with 
respect to members’ obligation to provide reasonable security for data 
used for OBA, Multi-Site Advertising, and/or Ad Delivery and 
Reporting. NAI Staff reviewed member companies’ descriptions of 
their security policies and protections, in order to establish that the 
member companies had conducted an appropriate evaluation of the 
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technological, administrative, and physical protections for data subject 
to the ΝΑΙ Code.” 


I. Data Retention 
Standard 


Members engaged in OBA, Multi-Site Advertising, and/or Ad 
Delivery and Reporting are required to retain data collected only as 
long as necessary to fulfill a legitimate business need, or as required 
by law. (NAI Code § III.9(a).) 


Findings 


As separately discussed above, ten members lacked disclosures 
relating to the approximate length of retention of data for OBA, Multi- 
Site Advertising, and Ad Delivery and Reporting, and have remedied 
(or are in the process of remedying) those disclosures. NAI Staff’s 
evaluation of the actual periods for which members report retaining 
data for these purposes found that member companies articulated 
legitimate business needs for their retention practices. 


As part of the review process, NAI Staff reminded members of 
the need to keep pace with evolving best practices, including 
minimizing the data retained. For instance, NAI Staff suggested to 
several members that they limit the lifespan of their OBA cookies, or 
to limit retention periods for data logging only to the length of time 
practically necessary. 


J: Applicable Law 
Standard 


Members are required to adhere to all applicable laws. Where 
the requirements of applicable law exceed or are in conflict with the 
Code, members must abide by applicable law. Where the 
requirements of the Code exceed those of applicable law, members 
must conform to the higher standards of the Code (insofar as 
compliance with the Code is not contrary to applicable law). (NAI 
Code § III.10.) 


42 The NAI’s review process under the Code did not function as a formal audit of 


data security, although any such audits undertaken by member companies were 
considered as part of the review process. 
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Findings 


NAI Staff’s review showed no evidence of violations of the 
“applicable law” provision of the NAI Code. 


K. Consumer Communications 
Standard 


NAI members are required to maintain a centralized mechanism 
linked to the NAI Web site to receive consumer questions or 
complaints relating to members’ compliance with the Code. (NAI Code 
§ IV.2(a).) NAI members also are required to respond to and make 
reasonable efforts to resolve questions implicating their compliance 
with the NAI Code within a reasonable period of time. (NAI Code § 
IV.2(b).) 


Findings 


The NAI Web site contains a form, phone numbers, postal 
addresses, and email addresses, all of which permit consumers to 
submit questions or complaints relating to members’ compliance with 
the Code as required by NAI Code § IV.2(a). As detailed in section V, 
the NAI fields hundreds of consumer inquiries through these 
mechanisms. 


NAI Staff tested members’ compliance with section IV.2(b) of 
the NAI Code by reviewing members’ sites for a mechanism that 
permits consumers to submit questions or concerns regarding NAI 
issues, and then independently testing member companies’ responses 
to consumer questions regarding their opt out procedures. Most of the 
evaluated member companies responded promptly and with 
informative responses. 


In some instances, however, NAI Staff found that members’ 
responses to these inquiries were insufficiently responsive or untimely. 
NAI Staff reminded these members of the need to have a contact 
mechanism on their Web sites, and to respond to any questions or 
concerns related to NAI compliance in a timely manner. At the time of 
writing this report, NAI Staff believes that the affected members have 
made changes to their mechanisms for responding to consumer 
questions, or are otherwise aware of the issue and are making efforts 
to ensure that consumer questions are timely and accurately 
addressed. NAI Staff will continue to monitor members’ responses to 
consumer questions and concerns in 2010, in order to help ensure that 
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consumer questions regarding NAI-related matters are timely 
addressed. 


IV. Customer Communications 


The NAI receives queries and complaints from consumers 
through multiple mechanisms: these include a form on the NAI web 
site, email, postal mail, and telephonic inquiry. NAI Staff makes every 
effort to respond in a reasonable and timely manner. Beginning in 
2009, NAI Staff was required to “produce an annual summary of the 
nature and number of consumer complaints received, the nature and 
number of complaints that were escalated to membership and the 
nature and number of matters referred to the Board, specifying the 
name of companies, if any, that were sanctioned for failure to remedy 
compliance defects.”°° 


In 2009, the NAI tracked consumer inquiries of all types, not just 
those that might qualify as complaints. These communications are 
classified into four categories: “Member Related,” “NAI Related,” “Not 
NAI or Member Related,” and “Inquiry Unclear.” The following 
summarizes the breakdown of consumer communications the NAI 
received in 2009: 


NAI Consumer Communications 
226 


O Member Related 

Β ΝΑΙ Related 

ΕΙ Not ΝΑΙ or Member 
Related 

E Inquiry Unclear 


ay See NAI Compliance Program Consumer Complaint Process, 


http://networkadvertising.org/managing/NAI_COMPLIANCE_AND_ENFORCEMENT_PR 
OGRAM_Consumer_Complaint_detail.pdf. 
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NAI Staff believes that it has resolved all consumer communications it 
received in 2009 that are related to NAI matters and are conducive to 
resolution.>* 


“Member Related” communications are those that require action 
on the part of an NAI member to resolve. When a “Member Related” 
issue is identified, it is escalated to the relevant member and NAI Staff 
track the member’s progress in resolving the issue. All of the 
“Member Related” communications identified in 2009 pertained to a 
limited number of functionality issues with certain members’ opt out 
tools.” Each of the affected member companies promptly resolved the 
issues. 


Communications classified as “NAI Related” are relevant to the 
NAI, but do not require action on the part of an NAI member. These 
communications account for just over half of all consumer inquiries. 
For the most part these communications relate to the NAI opt out tool, 
and are handled by Staff through direct communication with 
consumers. Of this particular subcategory, the majority of the 
questions arise from conflicts between consumers’ pre-existing 
software or computer settings, and the operation of the NAI’s opt out 
tool (for example, browsers preconfigured to reject all third party 
cookies, including opt out cookies from ΝΑΙ members).*° 


Consumer communications classified as “Not NAI or Member 
Related” are those that do not pertain to the NAI’s mission. For 
example, the NAI receives numerous messages from consumers 
seeking to unsubscribe from email marketing. The NAI also receives 
numerous messages from consumers with queries intended for 
operators of Web sites not affiliated with the NAI. This occurs because 
the NAI-required notice and link to the ΝΑΙ site within a Web site’s 
privacy policy may be the only readily-discernible contact information 


34 The consumer inquiry data are current as of December 21, 2009. 


22 These complaints resolved to only six discrete functionality issues with 
particular members’ opt out tools. 

3 For the NAI Web site tool’s hundreds of thousands of visitors, an extensive 
FAQ provided attempts to address known issues (such as for the limited number of 
users with blocked third party cookie settings). 
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for that site. These communications account for approximately one 
third of all communications the NAI received in 2009. 


“Inquiry Unclear” consumer communications are those where the 
purpose of the message is not discernible by NAI Staff. Messages that 
are clearly spam are deleted and not counted. For other messages in 
this category, NAI Staff respond requesting a specific query or 
complaint. 


Based on experience in fielding OBA-related questions and 
complaints, the NAI will continue to work to adopt enhancements to 
the messaging and functionality of the NAI Web site. In 2010, NAI 
Staff also plans to improve its procedures for logging and tracking 
consumer complaints and to track the performance of its members 
throughout the year. 


V. CONCLUSION 


The NAI’s 2009 compliance review process provided 
comprehensive insight into the behavioral advertising practices, 
policies, and procedures of its member companies. Throughout the 
process, the evaluated companies cooperated with NAI Staff and 
provided extensive information and documentation concerning their 
marketing practices. The review found that the evaluated companies 
met their compliance obligations with respect to the great majority of 
the substantive requirements of the NAI Code. Additionally, NAI 
member companies understand and take seriously their obligations 
under the NAI Code. 


In addition to the plan to enhance partner-provided notice 
discussed in this report, NAI Staff will continue to work with its 
members in the area of education, prominence and accessibility of 
NAI-required notice, and responses to consumer questions in 2010. 
NAI Staff also intends to continue its educational efforts, support 
members in their partner notice implementation efforts, and improve 
the NAI Web site. These efforts collectively will further enhance the 
transparency of behavioral advertising practices and of the choices 
available to consumers. 
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